Standard practice is generally a good thing. It means you’re dealing with a common set of circumstances in a manner that’s been adopted before. You know how the process works, you know what the outcome was last time, and the approach is now so well known it’s become both instinctive and practical.
But sometimes, standard practice isn’t so sensible. It’s simply the way we do things round here – and doing things a certain way just because it’s become the norm doesn’t always make it right.
Complete and repeat. And again. And again…
I can think of no better instance than auditing. Consider this example. Let’s say we have an insurance company in the US. It does business and reports its figures in all 50 states and it has to report to regulatory bodies twice a year. So, how many audits does it do? Two? No. Each state has to conduct its own audit – so that’s 100 audits a year in 50 states, each which carries significant overlaps in reporting criteria and possibly also in values.
Think how much work is involved here. In fact, think how much unnecessary work is involved – not just for the insurance company but for any outsourced service provider it’s engaged and also for the federal and state bodies to whom it reports.
Here at Capgemini we work for a number of national and international organizations so we have a broader view than any one of them – and we see instances of this all the time. The effort required and the costs involved are eye-watering. What’s more, because they work with us, our clients have to be assured that we have effective controls in our environment as well.
The way ahead?
Isn’t it time for us all to work together to create a new standard practice – a practice that is no less rigorous in terms of governance but way less cumbersome? A workshop involving federal and state governments, business organizations and service providers could establish a framework to reduce the number of audits needed. Involving representatives from the Big Four accountancy firms would enable all parties to develop a list of checks for certification that could be universally applicable across state lines. Even if such a framework had to carry caveats for exceptions – and that’s likely – it would still be far less onerous than conducting multiple audits in their entirety. It would save time, reduce costs and effort and increase productivity for every business. What’s more, those same benefits would be felt by government too.
Or we might consider another approach instead of or in addition to this one. Continuous control monitoring gathers auditable information at higher frequencies – perhaps every day, week or two weeks. If auditing becomes part of everyday accounting practice in this way it’s less of an effort than gathering information in retrospect at one or two set points each year. It also reduces risk of error because information is fresh at the point of capture.
A comprehensive alternative report could, with government approval, be signed off by a Big Four firm to ratify a service provider across its whole business instead of on a case-by-case basis.
I suspect the reason this entire issue hasn’t been addressed may be because current processes have made too many of us too busy for too long to be able to stand back, call time out and think about it.
But what do you think? Isn’t it time for a change? Or do we simply preserve the status quo because, well, that’s the way we do things round here?